Microsoft Systems Management Server 2.0 Training Kit
After this lesson, you will be able to
- Use Network Monitor to capture local and remote network traffic.
- Configure and run Experts against captured data.
- Configure and run the Network Monitor Control Tool.
The SMS 2.0 CD-ROM includes the Network Monitor console application and the Network Monitor Agent version 2 for Windows NT/2000. The console provides the user interface for viewing traffic on the network. Figure 7-6 shows the Network Monitor interface and how the Network Monitor captures packets from local and remote segments.
Figure 7-6. Monitoring local and remote segments.
- The agent collects frames from the local segment that are viewed through Network Monitor.
- To analyze traffic on network segments that are remote to the Network Monitor, a remote agent must be used.
An agent can run on the computer running Network Monitor so that local network traffic is captured. The agent may also run on another computer on the local segment. When the agent runs on a computer other than the one running Network Monitor, it is referred to as remote. A remote agent stores copies of local frames in a buffer and forwards the session summary statistics to the Network Monitor console.
A remote agent is selected from the Capture - Networks menu item in Network Monitor.
In this case, the agent is remote with respect to Network Monitor and local with respect to the segment being monitored.
Installation of the Network Monitor varies depending on the operating system. The Network Monitor and Network Monitor Agent version 2 driver are installed through the SMS 2.0 Setup program, or after installation by running SETUP.EXE from the \NMEXT directory on the SMS 2.0 installation CD-ROM. The Windows 2000 installation CD-ROM includes the Network Monitor Agent version 2 driver. Monitors and experts are included in the version of Network Monitor bundled with SMS 2.0.
Windows 95/98 and Windows for Workgroups can run previous versions of Network Monitor, but may not run the version of Network Monitor or the Network Monitor Agent version 2 included with SMS 2.0. On Windows 95/98 computers, Network Monitor is installed through a setup program contained on the SMS version 1.2 CD-ROM in the \NMEXT\DISK1 directory. The agent driver is installed as a network component in the Windows 95/98 Network dialog box from the Windows 95/98 installation CD-ROM.
The SMS 1.1 CD-ROM contains the \NMEXT\DISK1 directory, which can be used to install Network Monitor on a Windows for Workgroups computer. After installing Network Monitor, the Win32s components must be reinstalled for Network Monitor to function properly.
NOTE
The versions of Network Monitor for Windows for Workgroups and for Windows 95/98 do not include Experts or the Network Monitor Control Tool.
Starting Network Monitor
There are three ways to start Network Monitor and the Network Monitor Control Tool: by selecting Network Monitor or the Network Monitor Control Tool from the Tools node in the SMS Administrator console; by selecting one of the shortcut icons in the SMS program group; or by using the Windows NT start command from the command line. The syntax for the Network Monitor command is:
netmon [options]
Network Monitor and the Network Monitor Control Tool are found in the \SMS\NETMON\platform directory on site servers. If the SMS Network Monitor is installed on a non-site server, it is found in the \SMSADMIN\NETMON\platform directory. There are a number of command line options that can be specified when running netmon from the command prompt. For example, start netmon /remote:nts2 instructs Network Monitor to find and use the computer named NTS2 to capture packets using the Network Monitor Agent driver. Other command line options are listed in the Network Monitor help file under the page titled "Start Network Monitor from a Command Line."
The command that runs the Network Monitor Control Tool from the command line is:
mcsui
NOTE
Although the help documents included with SMS 2.0 show typing start before the netmon or mcsui command, it is not required.
Configuring Network Monitor Security
Network monitoring, commonly referred to as packet sniffing, exposes data in frames that are traversing the network. Unauthorized use of the Network Monitor to collect and examine network data compromises the security of the network. Previous versions of the Network Monitor Agent driver included password security to control who could use the agent to collect frames. In SMS 2.0, running Network Monitor is controlled centrally using the Security Monitor. Security Monitor is one of the monitors included with the Network Monitor Control Tool.
When Network Monitor is running, the Network Monitor Agent driver broadcasts a security packet stating that it is running. If a computer running the Network Monitor has not been included on the Security Monitor Configuration page (Figure 7-7), Security Monitor sends a frame to the computer running the agent driver that forces the Network Interface Card (NIC) out of promiscuous mode. The Network Monitor Agent driver then empties the local capture buffer and destroys the capture file.
To configure the Security Monitor, start the Network Monitor Control Tool and select Security Monitor (labeled 1 in Figure 7-7). After enabling the Security Monitor, select it from the 'Enabled Monitors' box (2). Click the Configure button (3) to display the Configure Security Monitor 1 dialog box. Add NIC hardware addresses to the 'Valid MAC Addresses' box (4).
Figure 7-7. Configuring Security Monitor from the Network Monitor Control Tool.
Security Monitor watches for security packets from all instances of the Network Monitor Agent driver on the local network segment. To monitor unauthorized attempts to capture network data on remote segments, ensure that an instance of Security Monitor is running on each network segment.
Capturing and Displaying Frames
The Network Monitor user interface is divided into four sections as shown in Figure 7-8 and described next.
Figure 7-8. The Network Monitor application displaying frame statistics.
- The bar graph displays activity currently taking place on the network, such as the percentage of network utilization at the time of capture.
- The session statistics section displays statistics about individual conversations currently taking place on the network, such as the number of frames initiated in each direction.
- The station statistics section displays statistics about conversations on the network, such as the total number of broadcast packets sent from and to a particular network address.
- A summary statistics section includes information on total network utilization, statistics on frames, bytes, broadcasts, and multicasts per second, and statistics for individual computers.
Network Monitor automatically builds an address database of "friendly names" to help identify individual stations. These friendly names appear in the session statistics and station statistics sections in place of the network adapter card addresses. For example, in Figure 7-8 the computer named NTS2 is displayed with its NetBIOS computer name. Captures can be filtered based on computer address (or address pairs), protocols, or data patterns within the frame.
Creating Filters and Triggers
Filtering can be used before a capture is initiated and after the capture has been completed. Filters configured before a capture begins are called capture filters. Filters configured after data has been captured are called display filters.
Filters are defined in the Capture Filter dialog box, as shown in Figure 7-9. This dialog box is accessed from the 'Filters' option on the Capture menu in Network Monitor.
Figure 7-9. The Capture Filter dialog box in Network Monitor.
When 'SAP/ETYPE = Any SAP or Any ETYPE' is selected, use the Edit button to enable or disable captures of particular protocols. When '(Address Pairs)' is selected, you filter network traffic between specific NICs or computers on the network and choose whether traffic is filtered in one direction or in both directions. If you select the '(Pattern Matches)' option, you collect only packets that contain a specific pattern in hex or ASCII, and you fine-tune the pattern match by selecting a specific position within the packet to examine. This type of highly defined pattern match is referred to as a packet offset.
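The address-pair and pattern-match filters described above, modelled in Python as an added example (this is not code from the Training Kit or from Network Monitor itself). The MAC addresses, frames and the TCP/UDP pattern offsets are constructed; the example also shows the one-way direction and the *ANY wildcard from the Capture Filter dialog.

```python
"""Capture-filter model after Network Monitor's Capture Filter dialog. Added example, not
Training Kit or Network Monitor code: INCLUDE address pairs with a direction (None is the
*ANY wildcard) and a pattern matched at a fixed byte offset. All data is constructed."""
from dataclasses import dataclass
from typing import Optional

def mac(text: str) -> bytes:
    """Parse a NIC address written with or without dashes or colons."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

@dataclass(frozen=True)
class AddressPair:
    station1: Optional[bytes]        # None stands for *ANY
    station2: Optional[bytes]
    both_directions: bool = True     # True: '<-->'; False: station1 --> station2 only

    def matches(self, src: bytes, dst: bytes) -> bool:
        forward = self.station1 in (None, src) and self.station2 in (None, dst)
        reverse = self.station2 in (None, src) and self.station1 in (None, dst)
        return forward or (self.both_directions and reverse)

@dataclass(frozen=True)
class PatternMatch:
    offset: int        # byte position within the frame (the "packet offset")
    pattern: bytes     # hex or ASCII bytes that must appear at that position

    def matches(self, frame: bytes) -> bool:
        end = self.offset + len(self.pattern)
        return len(frame) >= end and frame[self.offset:end] == self.pattern

def capture_filter(frames, pairs=(), patterns=()):
    """Keep frames matching any INCLUDE pair and every pattern; empty means 'any'."""
    kept = []
    for frame in frames:
        if len(frame) < 14:                 # Ethernet header: dst(6) src(6) type(2)
            continue
        dst, src = frame[0:6], frame[6:12]
        if pairs and not any(p.matches(src, dst) for p in pairs):
            continue
        if patterns and not all(p.matches(frame) for p in patterns):
            continue
        kept.append(frame)
    return kept

# Constructed sample addresses and frames (dst MAC, src MAC, EtherType, payload).
SERVER1, COMPUTER2 = mac("00-00-00-AA-AA-01"), mac("00-00-00-BB-BB-02")
OTHER, ETH_IPV4, ETH_ARP = mac("00-00-00-CC-CC-03"), b"\x08\x00", b"\x08\x06"
TCP_IP, UDP_IP = bytes(9) + b"\x06" + bytes(30), bytes(9) + b"\x11" + bytes(30)  # IPv4 protocol byte
SAMPLE_FRAMES = [
    SERVER1 + COMPUTER2 + ETH_IPV4 + TCP_IP,    # COMPUTER2 --> SERVER1, TCP
    COMPUTER2 + SERVER1 + ETH_IPV4 + TCP_IP,    # SERVER1 --> COMPUTER2, TCP
    COMPUTER2 + SERVER1 + ETH_IPV4 + UDP_IP,    # SERVER1 --> COMPUTER2, UDP
    SERVER1 + OTHER + ETH_ARP + bytes(28),      # a third host's ARP frame to SERVER1
]

def demo() -> dict:
    pair = AddressPair(SERVER1, COMPUTER2)                          # SERVER1 <--> COMPUTER2
    to_server = AddressPair(COMPUTER2, SERVER1, both_directions=False)
    tcp_only = PatternMatch(offset=14 + 9, pattern=b"\x06")         # IPv4 protocol field == TCP
    return {
        "pair": len(capture_filter(SAMPLE_FRAMES, pairs=[pair])),
        "to_server": len(capture_filter(SAMPLE_FRAMES, pairs=[to_server])),
        "pair_tcp": len(capture_filter(SAMPLE_FRAMES, pairs=[pair], patterns=[tcp_only])),
        "any_to_server": len(capture_filter(SAMPLE_FRAMES, pairs=[AddressPair(None, SERVER1, False)])),
    }
```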
Triggers are created in the Capture Trigger dialog box, as shown in Figure 7-10. When a certain condition, or a set of conditions, defined for the capture trigger is met, the trigger can stop the capture and run a program or batch file. Figure 7-10 shows which events cause the execution of a trigger, and the result when a trigger condition has been met.
Figure 7-10. The Capture Trigger dialog box in Network Monitor.
Triggers can also be set for remote networks using the Windows NT Network Monitor Agent driver. If the trigger involves running a program or a batch file, the execution will be invisible to users of the remote system. Execute Command Line triggers set on a remote capture always run on the remote system.
Viewing Captured Data
When viewing captured data, the Summary window (Figure 7-11) displays a summary of all frames captured. A display filter can be set to filter frames of interest, such as those from a particular host or those using a particular protocol. Colors can be added to highlight specific frames.
Figure 7-11. The Network Monitor Capture Summary window.
The Network Monitor Capture Summary window has three panes: the Summary pane, the Detail pane, and the Hex pane. The toolbar's Zoom tool can be used to maximize or reduce each pane. To view all three panes simultaneously, double-click any frame.
Summary Pane
This pane lists all frames included in the current view of the captured data. When a frame is highlighted in the Summary pane, Network Monitor displays the frame's contents in the Detail and Hex panes (2 and 3 in Figure 7-11).
The columns in the Summary pane can be moved and resized. The nine columns in the Summary pane are as follows:
Column | Description |
---|---|
Frame | All frames captured during one capture session are numbered in order of capture time. The frame number appears in this column. If a display filter is set, this column displays only those frames matching the filter. |
Time | Displays the frame's capture time relative to the beginning of the capture process. Depending on display settings (see the Display Options menu item), this may indicate time of day when the frame was captured or time elapsed since the previous frame capture. |
Src MAC Addr | Displays the NIC hardware address or the NetBIOS name of the computer sending the frame. |
Dst MAC Addr | Displays the NIC hardware address or the NetBIOS name of the computer receiving the frame. |
Protocol | The highest-layer protocol used to transmit the frame. |
Description | A summary of the frame's contents. The summary information can show the first protocol used in that frame, the last protocol used in that frame, or an automatic selection. |
Src Other Addr | An identifying address for the originator of the frame other than the media access control address. This might be an IP or IPX address. |
Dst Other Addr | Same as above, except that it is the destination of the frame. |
Type Other Addr | Displays the address type of the addresses displayed in the Src Other Addr and Dst Other Addr columns. |
Detail Pane
This pane displays protocol information for the frame currently highlighted in the Summary pane. When a frame contains several protocol layers, the Detail pane displays the outermost level first.
When a protocol is selected in the Detail pane, the associated hexadecimal strings for the current frame are highlighted (in the same color as that used for the protocol) in the Hex pane. If a protocol has a "+" beside it, more information will appear in the Detail pane by clicking the protocol or by selecting the protocol and pressing ENTER. When the protocol information is expanded, a line of data appears for each property associated with that frame.
Hex Pane
This pane displays, in hexadecimal format, the content of the selected frame. The information highlighted in the Detail pane is shown with its corresponding hexadecimal data highlighted in the Hex pane. Network Monitor displays each byte in the frame as two hexadecimal characters, 00 to FF. The corresponding ASCII characters appear on the right. If the Read Only menu option (on the Display menu) is cleared, the frame's contents can be edited by changing hexadecimal values or by typing text in the ASCII section.
Printing and Saving Data
Captures can be printed in summary or expanded mode, printing either all frames or a range of frames. In addition, captured data can be saved for viewing at a later time.
NOTE
For additional information on SMS Network Monitor, view the online Network Monitor help file (NETMON2.CHM). For additional information on the Monitor Control Tool, view the Monitor Control Tool online help file (MCSUI.CHM).
Exercise 40: Analyzing Network Traffic Using Network Monitor and Experts
In this exercise, you will use the SMS 2.0 version of Network Monitor and the Network Monitor Experts to analyze local network traffic. If the SMS Administrator console is not running, start it now.
- Select the Tools node from the SMS console tree.
- In the console tree, click Network Monitor. Then from the Action menu, choose All Tasks.
  A menu appears.
- Select Start Network Monitor.
  The Microsoft Network Monitor window appears.
In the following steps, you will add entries in the address database for the site server.
- Switch to the SMS Administrator console, then use the All Systems collection to determine the media access control address of the site server computer. This information is stored in the Resource Explorer if the site server has been inventoried. If it has not been inventoried, obtain this information from the Network tab in Windows NT Diagnostics. Document the media access control address on the line below.
- Ping Computer 2 to determine its media access control address. At a command prompt, type ping Computer2 and then press ENTER.
- Type arp -g and then document Computer 2's media access control address on the line below.
- Switch back to Network Monitor.
- On the Capture menu, choose Addresses.
  The Address Database dialog box appears.
- Click Add.
  The Address Information dialog box appears.
- In the 'Address' field, type the media access control address for Computer 2. Do not include the dashes between the numbers in the address.
- In the 'Name' field, type COMPUTER2.
- If you are not running this exercise on an Ethernet network, change ETHERNET listed in the 'Type' list box to the appropriate network type and then click OK.
  The Address Database dialog box appears displaying Computer 2's address.
- Under the 'Name' column, select LOCAL with the address of the site server computer and a type of ETHERNET, then click Edit.
  The Address Information dialog box appears displaying the media access control address of the site server computer.
- In the 'Name' box, type SERVER1, then click OK.
  The Address Database dialog box appears displaying both computer addresses.
- Click Save.
  The Save Addresses As dialog box appears.
- In the 'File Name' field, type default and then click Save.
  The Save Addresses As message box appears indicating that the file already exists, and prompts you to replace it.
- Click Yes.
  The Address Database dialog box appears.
- Click Close.
In the following steps, you will configure a capture filter to capture traffic between Computer 1 and Computer 2.
- On the Capture menu, choose Filter.
  The Capture Filter dialog box appears.
- Under '(Address Pairs),' select INCLUDE *ANY <--> *ANY, then click Edit.
  The Address Expression dialog box appears.
- Under 'Station 1,' select SERVER1 using the media access control address.
- Under 'Station 2,' select COMPUTER2.
- Under 'Direction,' select <-->, then click OK.
  The Capture Filter dialog box appears. Notice under (Address Pairs) that the entries for the site server and Computer 2 appear.
- Click OK.
  The Network Monitor window appears.
In the following step, you will start a capture session.
- On the Capture menu, choose Start.
  The network capture is started. Notice that data appears in the four Network Monitor panes.
In the following steps, you will generate network traffic for the capture session from Computer 2 and then answer questions based on the captured data.
- Log on to Computer 2 and start a command prompt.
- Type net view \\server1, then press ENTER.
- Close the command prompt window and return to Network Monitor running on Computer 1.
- On the Capture menu, choose Stop.
  The network capture is stopped. Notice the data that appears in the Network Monitor panes.
- On the Capture menu, choose Display Captured Data.
  The Microsoft Network Monitor - [Capture: 1 (Summary)] window appears displaying the traffic that was captured.
- On the Display menu, choose Colors.
  The Protocol Colors dialog box appears.
- Under 'Name,' select R_SRVSVC. Then under 'Foreground,' select the red bar.
- Click OK.
  All captured frames that are RPC calls to the server service are displayed in red.
- Under the 'Description' column, search for RPC Client call srvsvc:NetrShareEnum(..).
  This is the client computer requesting the list of shared resources from the server.
- The next frame should appear with a description of RPC Server response srvsvc:NetrShareEnum(..).
  This is the server's response to the request for the list of shared resources.
- Double-click the server's response frame.
  The Microsoft Network Monitor - [Capture: 1 (Summary)] window displays three panes.
- In the Detail pane (middle), expand Frame: Base frame properties.
  How large was the packet?
- In the Detail pane (middle), expand IP: ID = value; Proto = TCP; Len: value.
  What is the source IP address?
- In the Detail pane (middle), select R_SRVSVC: RPC Server response srvsvc:NetrShareEnum(..).
- In the Hex pane (bottom), scroll to find the list of share resources that are available on SERVER1.
  What shares were listed for SERVER1?
- From the Summary pane (top), open the last frame of the capture. Then from the Detail pane (middle), expand STATS.
  What was the elapsed time of the capture?
  How many bytes were transmitted during the capture session?
  Were there any broadcast frames in the capture?
In the following steps, you will save the capture session.
- On the File menu, choose Save As.
  The Save As dialog box appears.
- In the 'File Name' field, type shares and then click Save.
In the following steps, you will use Network Monitor Experts to help analyze the captured data and answer questions from data provided by the experts.
- On the Tools menu, choose Experts.
  The Network Monitor Experts dialog box appears.
- Under 'Groups,' select Protocol Distribution, then click Add to Run List.
- Under 'Groups,' select Top Users. Then click Add to Run List.
- Click Run Experts.
  The Microsoft Network Monitor - [Run 1: filepath\*.cap] window appears.
- From the Window menu, choose Cascade.
  The Expert Status View, [Run 1: filepath\*.cap], Capture: 1 (Detail), and the \ETHERNET\NET media access control address Capture Window (Station Stats) dialog boxes appear.
- Select the Expert Status View window.
  Notice that all experts were 100 percent successful in completion.
- In the [Run 1: filepath\*.cap] window, notice the Protocol Distribution and Top Users tabs.
  Which protocol (other than FRAME or ETHERNET) generated the highest number of frames?
  Which protocol generated the highest number of bytes claimed?
- Select the Top Users tab.
  Which address generated the highest number of frames?
  Which address generated the highest number of bytes?
- On the File menu, choose Exit.
- If a Save Address Database? message box appears, click No.
  Network Monitor closes.
Exercise 41: Configuring the Network Monitor Control Tool
In this exercise, you will use the Network Monitor Control Tool to configure a monitor that detects invalid IP address ranges. If the SMS Administrator console is not running, start it now.
- In the SMS console tree, expand the Tools node and select Network Monitor.
- On the Action menu, select All Tasks and then choose Start Network Monitor Control Tool.
  The Monitor Control Tool window appears displaying the available monitors for the local computer.
- Under 'Installed Monitors,' select IPRange Monitor, then click Enable.
  The Monitor is not configured message box appears, prompting you to configure the monitor now.
- Click Yes.
  The Configure IPRange Monitor dialog box appears displaying the list of valid and invalid IP addresses.
- Under 'Invalid Addresses,' type 128.1.2.1 in both the 'Source' and 'Destination' boxes.
  This is the IP address of Computer 2. Although it is a valid address, you will have the monitor report it as invalid for testing.
- Click Set Monitor Configuration.
  A Security Alert message box appears, prompting you to send this information to the Internet zone.
- Click Yes.
  The Monitor Control Tool window appears with IPRange Monitor 1 under 'Enabled Monitors.'
- Under 'Enabled Monitors,' select IPRange Monitor 1, then click Start.
  Notice that the IPRange Monitor 1 status has changed to Running.
In the following steps, you will access Computer 2 to cause the monitor to signal an event.
- Start a command prompt.
- Type ping 128.1.2.1 and then press ENTER.
  The Monitor Event Viewer window appears, displaying all events that have been registered by running monitors.
- Close the command prompt window.
- In the third pane of the Monitor Events tab, read the IP Range monitor details.
  Notice the information presented indicating that the event is an invalid source address, showing which computer monitored the event, and presenting the offending addresses.
- Close the Monitor Event Viewer window.
  The Monitor Control Tool window appears.
- In the Monitor Control Tool window, select IPRange Monitor 1 under 'Enabled Monitors' and then click Stop.
- On the File menu, click Exit.
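The check the IPRange Monitor performs in this exercise, written out in Python as an added example (not code from the Training Kit or from the Network Monitor Control Tool). It inspects constructed Ethernet/IPv4 frames against the invalid source and destination addresses configured above and records the details the Monitor Event Viewer presents; the site server address 128.1.1.1 and the frame contents are assumptions, and only 128.1.2.1 comes from the exercise.

```python
"""IP-range monitor in the spirit of the IPRange Monitor from Exercise 41. Added example,
not Training Kit or Network Monitor Control Tool code: flags IPv4 frames whose source or
destination lies in a configured invalid range and records the event details."""
import ipaddress
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800

@dataclass(frozen=True)
class MonitorEvent:
    monitor_host: str   # the computer that monitored the event
    kind: str           # "invalid source address" or "invalid destination address"
    src: str
    dst: str

class IPRangeMonitor:
    def __init__(self, monitor_host, invalid_sources=(), invalid_destinations=()):
        self.host = monitor_host
        # A bare address such as 128.1.2.1 becomes a /32; CIDR ranges are accepted too.
        self.invalid_src = [ipaddress.ip_network(n, strict=False) for n in invalid_sources]
        self.invalid_dst = [ipaddress.ip_network(n, strict=False) for n in invalid_destinations]
        self.events = []

    @staticmethod
    def ipv4_addresses(frame: bytes):
        """Return (src, dst) for an Ethernet II frame carrying IPv4, else None."""
        if len(frame) < 34 or int.from_bytes(frame[12:14], "big") != ETHERTYPE_IPV4:
            return None
        ip = frame[14:]
        if ip[0] >> 4 != 4:                 # version nibble must be 4
            return None
        return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])

    def inspect(self, frame: bytes):
        """Check one frame; return (and store) the events it raises, if any."""
        addrs = self.ipv4_addresses(frame)
        if addrs is None:
            return []
        src, dst = addrs
        raised = []
        if any(src in net for net in self.invalid_src):
            raised.append(MonitorEvent(self.host, "invalid source address", str(src), str(dst)))
        if any(dst in net for net in self.invalid_dst):
            raised.append(MonitorEvent(self.host, "invalid destination address", str(src), str(dst)))
        self.events.extend(raised)
        return raised

def ipv4_frame(src: str, dst: str, proto: int = 1) -> bytes:
    """Constructed Ethernet/IPv4 frame: zeroed MACs, minimal 20-byte header, no checksum."""
    header = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, proto, 0, 0])
    header += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return bytes(12) + ETHERTYPE_IPV4.to_bytes(2, "big") + header + bytes(8)

def demo():
    """Replay the exercise: 128.1.2.1 (Computer 2) is invalid in both boxes; 128.1.1.1 is assumed."""
    monitor = IPRangeMonitor("SERVER1", invalid_sources=["128.1.2.1"], invalid_destinations=["128.1.2.1"])
    for frame in [
        ipv4_frame("128.1.1.1", "128.1.2.1"),    # echo request from the site server to Computer 2
        ipv4_frame("128.1.2.1", "128.1.1.1"),    # echo reply from Computer 2
        ipv4_frame("128.1.1.1", "128.1.1.9"),    # unrelated traffic: no event
        bytes(12) + b"\x08\x06" + bytes(28),     # ARP, not IPv4: ignored
    ]:
        monitor.inspect(frame)
    return [e.kind for e in monitor.events]
```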